First Boot Script

  • #376173
    MacCraftsman
    Participant

    I have successfully used InstaDMG to create images that include createUser and clearReg packages. I have now created a First Boot script to set the computer name,
    enable ARD and SSH access, set the Start Up disk and enable a Network Time server. I tested it by creating a loginhook in a terminal session on a newly imaged Mac.
    It works perfectly. I am using an Intel powered iMac and OS X 10.5. My problem is that I do not know where to save this script so that it can be run on the first boot.
    I am thinking about creating a System Config script which I would use as a post flight script in a payload free InstaDMG package. This would merely create the required
    loginhook. Will this approach work? Where should I save the First Boot script? Any help greatly appreciated.

    #376174
    blake
    Participant

    I put our scripts into the /Library/Scripts directory and start them with a launchd plist that’s appropriate for the task. These are easily collected into a .pkg that can be added to your InstaDMG process.

    If you are not familiar with launchd plists grab a copy of Lingon http://tuppis.com/lingon/ to make the plist.

    blake

    #376194
    walt
    Participant

    Could you share the script you made?

    #376196
    Rusty Myers
    Participant

    I agree with blake. Here’s what I do.

    Install script, let’s call it “startup.sh” in /Library/Scripts/”myOrganization”/

    I use a very simple launchd item that starts the script as root at first boot (I made my first few launchd items with Lingon). It’s called myOrganization.startup.sh and put into /Library/LaunchDaemons with these contents:

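    [code]
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <!-- Job is enabled -->
        <key>Disabled</key>
        <false/>
        <key>Label</key>
        <string>myOrganization.startup</string>
        <!-- Run the first boot script through sh -->
        <key>ProgramArguments</key>
        <array>
            <string>sh</string>
            <string>/Library/Scripts/myOrganization/startup.sh</string>
        </array>
        <!-- Start when launchd loads the job, i.e. at boot -->
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>
    [/code]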

    Make sure the launchd item is owned by root and the group is wheel. The permissions MUST be owner: read+write, group: read only, other: read only.
    Lingon makes this very easy, but PackageMaker has bitten me a few times when packaging.

    Post your results!
    Rusty

    (Edited by Patrick Fergus, 2:52 p.m. 5/18/09. Forum was eating your XML tags–I put it inside code tags)
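
A check for the ownership and permission rule in the post above, as an added example that is not part of the original thread. It reports a LaunchDaemon plist, the script it runs, or that script's directory when any of them has the wrong owner or is writable by group or others; the function names are hypothetical and the paths are passed as arguments.

```shell
#!/bin/sh
# Added example: audit a root-run launchd item. Function names are hypothetical.
# launchd runs the script as root, so anyone able to rewrite the plist, the
# script, or the script's directory controls what root executes at boot.

# Report problems for one path: wrong owner, or writable by group/others.
check_path() {
    path=$1; want_uid=$2
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return
    fi
    # -prune stops find descending into directories; -user and -perm are POSIX.
    [ -n "$(find "$path" -prune -user "$want_uid")" ] || echo "OWNER $path"
    [ -z "$(find "$path" -prune -perm -020)" ] || echo "GROUP-WRITABLE $path"
    [ -z "$(find "$path" -prune -perm -002)" ] || echo "WORLD-WRITABLE $path"
}

# Usage: audit_launchd_item <plist> <script> [owner-uid, default 0 for root]
audit_launchd_item() {
    plist=$1; script=$2; owner=${3:-0}
    problems=$(
        check_path "$plist" "$owner"
        # The post asks for exactly rw-r--r-- on the plist.
        [ -n "$(find "$plist" -prune -perm 644 2>/dev/null)" ] ||
            echo "MODE-NOT-644 $plist"
        check_path "$script" "$owner"
        check_path "$(dirname "$script")" "$owner"
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Run against real paths only when arguments are supplied.
if [ "$#" -ge 2 ]; then
    audit_launchd_item "$@"
fi
```

Running it as a postflight step in the package catches the case where the packaging tool has changed ownership or modes on the way into the image.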

    #376205
    chops
    Participant

    Sort of a n00b question here I guess: Is it better to have one script call another in order to chain them together, or can I just list them in the order I want them to run in the launchd item?

    I’ve been using the set-names.sh script for a few years and I’d like to call it during the first-boot process.

    Seems like it may be useful to have a selection of scripts that could be used in different combinations depending on the desired configuration.

    #376206
    Rusty Myers
    Participant

    Good question.

    I think that if you call all the scripts from the launchd, it will run them at the same time. This may be perfect in your situation.

    I run three scripts that I have the computer reboot between each. The first one sets the date/time and some other minor changes. Then it sets the launchd item for the second script and reboots. The second script names the computer, using Bombich’s set-names script, then installs the launchd item for the third script and reboots. The third script then binds the computer to AD/OD and reboots. So, in my case, I want to reboot between scripts and putting them all together wouldn’t work in the way I have them built.

    I’d like to get away from these scripts and move to Puppet for management. It seems like it will be easier to set machines up once the Puppet system is configured.

    Rusty

    #376208
    Patrick Fergus
    Participant

    Quote by chops: “Sort of a n00b question here I guess: Is it better to have one script call another in order to chain them together, or can I just list them in the order I want them to run in the launchd item?”

    I think LaunchD only contains one executable (script) argument. You could try installing two pkgs at InstaDMG time:

    1. A pkg containing a script to install pkgs and a LaunchDaemon to call that script. The script installs pkgs as instructed by….
    2. The product of running a second PKG at InstaDMG time that installs pkgs (a pkg of pkgs!) and an installation order file.

    #1 wouldn’t need to change. #2 would be updated when any of the first boot pkgs gets revised or you want to change the installation order. Although you could run everything in parallel via multiple LaunchDaemons, you probably will run into issues if you want to restart upon exit of one of those LaunchDaemons.

    – Patrick

    #376210
    nessts
    Participant

    I have made all my firstboot scripts Perl scripts, and if one needs to wait for another I have a waitfor function that makes the script sleep until the stuff it has to wait for is finished, then it can run. In another function I wait for the existence of a file prior to proceeding, etc. I have about 6 firstboot-type things that happen in launchd, and each script disables itself after successful completion. A couple of them reboot after disabling, so next time everything that was waiting for them will continue after boot. Just an idea.
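
One way to combine the ideas in the posts above (a single LaunchDaemon, an installation order file, reboots between steps, and a job that disables itself when finished), as an added example that is not code from the thread. The order-file format (`<script> [reboot]` per line), the return code 10, and the function name are assumptions made for this sketch; paths must not contain spaces.

```shell
#!/bin/sh
# Added example: run first-boot steps in order from one launchd job.
# Order file: one "<script> [reboot]" per line; blank lines and # comments skipped.
# Keep the order file, state directory and scripts root-owned and not writable
# by others, because everything listed here runs as root.

# Usage: run_firstboot <order-file> <state-dir> <launchd-plist>
# Returns 0 when every step is done (and removes the plist), 10 when a reboot
# is due before the next step, 1 when a step failed and must be retried.
run_firstboot() {
    order=$1; state=$2; plist=$3
    mkdir -p "$state" || return 1
    while read -r script flag; do
        case $script in ''|'#'*) continue ;; esac
        marker=$state/$(basename "$script").done
        if [ -e "$marker" ]; then
            continue                      # finished on an earlier boot
        fi
        # stdin is redirected so a step cannot consume the order file.
        sh "$script" </dev/null || return 1
        : > "$marker"                     # record success before any reboot
        if [ "$flag" = reboot ]; then
            return 10
        fi
    done < "$order"
    rm -f "$plist"                        # nothing left: disable the job
    return 0
}

# Called by launchd with three arguments; reboot when a step asks for it.
if [ "$#" -eq 3 ]; then
    rc=0
    run_firstboot "$@" || rc=$?
    if [ "$rc" -eq 10 ]; then
        shutdown -r now
    fi
    exit "$rc"
fi
```

Because a marker is written only after a step succeeds, a failed step is retried on the next boot and completed steps are never repeated.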

    #376214
    chops
    Participant

    Thanks, gentlemen. I’ll play with the different ways of stringing things together. Right now I’m toying with a modification of the first-boot script thespider posted on another thread here. I’m still thinking cuz I’m still building my application packages. Once I have them done I’ll start putting this into practice. A bunch of new CPUs should arrive next week so I’ll have a mix of Macs to play with.

    Anyway, here’s what I’m considering:

    First-boot script
    –Time Zone Setup
    –Set up Network Time Server
    –Enable ARD for admin user
    –Start Remote ssh login
    –turn off .ds-store on network shares
    –turn off time machine
    –disable time machine in general
    –disable time machine new disk requests
    –Set hard drive name
    –Hide sub 500UID users
    –Disable Automatic Software Updaters
    –disable itunes update checking
    –remove itunes store links (bandwidth)
    –Disable WINS so your Mac won’t show up as a windows SMB share
    no reboot, then this hands off to

    set hostname script
    –set-names.sh
    –replace previous launchd with the cleanup script
    –reboot

    cleanup script
    –enable root account
    –make it so root cannot ssh in remotely (edit or replace /etc/sshd_config for “PermitRootLogin no”)
    –turn off Airport if present
    –allow printer selection by non-admin users
    –remove launchd item
    –Make sure the permissions are correct
    –reboot
    –Self Destruct

    Am I missing anything?

    #376224
    knowmad
    Participant

    Chops,
    I figured I would weigh in with an opinion. Though I too am working on a first time boot script, much of what you are looking to do I have found it easier to do in the build (my opinion). I cannot stress enough the wonderful world of MCX records.
    Learn em, use em, enjoy….

    I think a good rule of thumb is that if the item needs to be set the same for all computers, set it (if you can) during build. If it needs to be specific to each machine, use a first boot script.

    Addendum: If the setting should be never changed, use an MCX record (the exception being firewall, long story short, the MCX records load too late to set that at boot).

    There are very few items in your list that can’t be done ahead of time in your build.
    If all root accounts will have the same password, you can enable it in the build.
    The hostname item pretty much needs to be done after boot. The hiding of sub 500 users can be done ahead of boot BUT if you do that, you won’t be able to add the admin account to the ARD list. So it’s a trade-off.
    The airport can be disabled through MCX, same with handling printer selection. The root removed from ssh, also during build….

    Below is my non-comprehensive list of items I play with using defaults write during the build…. the list of items I play with using MCX is growing rapidly and not easy to display right now….

    [code]
    # Defaults Write
    #No .ds-store on network shares
    defaults write com.apple.desktopservices DSDontWriteNetworkStores true

    #turn off time machine
    defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool YES

    #disable time machine in general
    defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 0

    #disable time machine new disk requests
    defaults write com.apple.TimeMachine DoNotOfferNewDisksForBackup 1

    #Adds Recents Things Stack to dock
    defaults write com.apple.dock persistent-others -array-add '{ "tile-data" = { "list-type" = 1; }; "tile-type" = "recents-tile"; }'

    #Hide sub 500UID users
    defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE

    #Hide specific users from the fast user and login window lists (Replace $USERNAME with users name)
    defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array $USERNAME

    #Hide the Other user from login etc.
    defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE

    #change status of the firewall: 0=off 1=on for specific services and 2=on for essential services
    sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1

    #Globally set the large print dialogue box
    defaults write /Library/Preferences/.GlobalPreferences PMPrintingExpandedStateForPrint -bool TRUE

    #use expanded save dialogues
    defaults write -g NSNavPanelExpandedStateForSaveMode -bool TRUE

    #use short name as default for logging into network shares
    defaults write /Library/Preferences/com.apple.NetworkAuthorization UseDefaultName -bool NO
    defaults write /Library/Preferences/com.apple.NetworkAuthorization UseShortName -bool YES

    #set screen capture file format
    defaults write com.apple.screencapture type pdf

    #set the clock to display seconds
    defaults write com.apple.MenuBarClock DisplaySeconds 1

    #disable itunes update checking
    defaults write com.apple.iTunes disableCheckForUpdates -bool YES

    #remove itunes store links (bandwidth)
    defaults write com.apple.iTunes show-store-arrow-links -bool FALSE

    #Change Login Window Background (I set a custom logon background pic)
    defaults write $3/Library/Preferences/com.apple.loginwindow DesktopPicture /Library/LoginManagement/Login.jpg

    #launch the login script (I use a login hook to display a security warning that must be agreed to)
    defaults write $3/Library/Preferences/com.apple.loginwindow LoginHook /Library/LoginManagement/warning.sh

    #these items can only be done after startup
    #systemsetup use cannot address non-boot volume, so these are commented out
    #systemsetup -settimezone America/Los_Angeles
    #systemsetup -setusingnetworktime on
    #systemsetup -setcomputersleep 180
    #systemsetup -setdisplaysleep 30
    #systemsetup -setcomputername NCI-Image-M

    #Configure ARD – after startup
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent -menu
    [/code]

    more when I have more time…. ie, never

    #376225
    samplem
    Participant

    Is it also possible to include along with the first boot script a pref copy (of which I use when building conventionally)? I’d like to customize the dock with specific apps that can be seen after I’ve booted up to create the first account.

    #376229
    Patrick Fergus
    Participant

    Quote by chops: “Thanks, gentlemen. I’ll play with the different ways of stringing things together. Right now I’m toying with a modification of the first-boot script thespider posted on another thread here. I’m still thinking cuz I’m still building my application packages. Once I have them done I’ll start putting this into practice. A bunch of new CPUs should arrive next week so I’ll have a mix of Macs to play with.

    Anyway, here’s what I’m considering…”

    See this thread for discussion (https://www.afp548.com/forum/viewtopic.php?showtopic=23593)–a lot of what you’re doing doesn’t have to be at first boot. You can bake it into your image at InstaDMG runtime.

    Regarding Dock items, MCX is best. Prepopulating the User Template is ok, but painful if you ever want to change the defaults. If you have to go the User Template way, at least make your life easier and use the ideas in this script (http://www.macgeekery.com/tips/cli/adding_items_to_the_dock) to set up the Dock.

    – Patrick
